How to set up an ftp chroot environment
 
________________________________________________________________________

Applicable Environment
________________________________________________________________________
  • Topic: How to set up an ftp chroot environment
  • SDP: 4.25, 6.3.0SP3, 6.4.1, 6.5.0
  • Target: Any supported target
________________________________________________________________________

Recommendation
________________________________________________________________________


------------------------------------------------------------------------------
Overview
------------------------------------------------------------------------------

The basic idea is that chroot "changes the root (/)" for a user. In the case of ftp, the new root is the user's home directory: when the user is logged in via ftp, the client sees /home/username as / and interprets every path from there, so anything outside /home/username is completely inaccessible to the user. If an app is needed, it must be added under the user's home directory in the same location it would occupy in a regular QNX installation (usually /bin, which translates to /home/username/bin in the ftp chroot jail). The following is an example of how to add ls to a chroot ftp jail.

------------------------------------------------------------------------------
Create a new user/group
------------------------------------------------------------------------------

1. Username: ftpguest
2. Home directory: /home/ftpguest
3. Group: [ftp group]

For information on Managing User Accounts under QNX/Neutrino:
6.5.0: http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_user_guide/accounts.html
6.4.1: http://www.qnx.com/developers/docs/6.4.1/neutrino/user_guide/accounts.html
6.3.0 SP3: http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/user_guide/accounts.html
4.25: http://www.qnx.com/developers/docs/qnx_4.25_docs/qnx4/user_guide/accounts.html

------------------------------------------------------------------------------
Make sure ftp will work
------------------------------------------------------------------------------

1. Make sure that the file /etc/ftpusers exists and that it either has * (everyone) or the ftp user(s) listed.

For more information on this:
6.5.0: http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_utilities/f/ftpusers.html
6.4.1: http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/f/ftpusers.html
6.3.0 SP3: http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/f/ftpusers.html

------------------------------------------------------------------------------
Create the chroot jail
------------------------------------------------------------------------------

1. Add the user to /etc/ftpchroot
-----a. Simply add the username on a line by itself

For more information:
6.5.0: http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_utilities/f/ftpchroot.html
6.4.1: http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/f/ftpchroot.html
6.3.0 SP3: http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/f/ftpchroot.html

------------------------------------------------------------------------------
Find out what we need for the app we want to add to the user's chroot jail
------------------------------------------------------------------------------

1. Run objdump on the app, like this:
-----a. "C:\QNX650\host\win32\x86\usr\bin\ntox86-objdump.exe" -x "C:\QNX650\target\qnx6\x86\bin\ls" | grep "NEEDED"
-----b. The location of objdump and ls might be different, depending on the Momentics install location
-----c. Make sure to pick the correct binary to run against. In this case we used the x86 version of ls, but an ARM processor would have required the ARM version.
2. The output of objdump will be the libs needed to run the program.

Example - ls

D:\>ntox86-objdump.exe -x C:\QNX650\target\qnx6\x86\bin\ls | grep NEEDED
NEEDED libc.so.3

In this case, we can see that we'll need libc.so.3. Knowing we're running on an x86 platform, we can find libc.so.3 at: C:\QNX650\target\qnx6\x86\lib\libc.so.3 (path may vary depending on Momentics install).

------------------------------------------------------------------------------
Set up the home directory for the app we want to use
------------------------------------------------------------------------------

Create the following directories:

1. /home/ftpguest/bin
2. /home/ftpguest/usr/
3. /home/ftpguest/usr/lib

Copy over the binary and library. In the case of ls, our example, we only need one file. Here's where it gets a bit tricky, though. The file needed is libc.so.3, but the file that will be looked for is ldqnx.so.2, which is located in /usr/lib on a QNX target and is actually just a link to /proc/boot/libc.so.3. This is also the case for any other app, so if libc.so.3 is needed, it will need to be renamed.

1. Copy C:\QNX650\target\qnx6\x86\lib\libc.so.3 into the newly created home folder under /home/ftpguest/usr/lib
2. Rename the file from libc.so.3 to ldqnx.so.2

NOTE: This guide assumes 6.5 or later. For 6.4 and lower versions, libc.so.2 might be specified as needed by objdump. This is still renamed to ldqnx.so.2; it's simply an older version of libc.
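
The two sections above (finding the NEEDED libraries and populating the jail) combined into one script. This is an added example, not QNX's own tooling: it assumes the objdump -x output has been saved to a text file, the function names are hypothetical, and placing libraries other than libc in usr/lib is an assumption the article does not state.

```sh
#!/bin/sh
# Added example (not QNX tooling): stage one app into an ftp chroot jail.
# Assumption: `objdump -x <binary>` output was saved to a text file first.

# Print library names from the NEEDED lines of objdump -x output on stdin.
# Strips a trailing CR in case the dump was produced on a Windows host.
needed_libs() {
    awk '$1 == "NEEDED" { sub(/\r$/, "", $2); print $2 }'
}

# Name a library must have inside the jail: libc.so.N is looked up as
# ldqnx.so.2 (per the article); any other library keeps its own name.
jail_lib_name() {
    case "$1" in
        libc.so.[0-9]*) echo "ldqnx.so.2" ;;
        *)              echo "$1" ;;
    esac
}

# stage_app JAIL BINARY LIBDIR OBJDUMP_TXT
# Creates JAIL/bin and JAIL/usr/lib, copies BINARY and every NEEDED library
# found in LIBDIR. Returns non-zero if a NEEDED library is missing, so an
# incomplete jail is noticed before the ftp user hits a loader error.
stage_app() {
    jail=$1 binary=$2 libdir=$3 dump=$4
    missing=0
    mkdir -p "$jail/bin" "$jail/usr/lib" || return 1
    cp "$binary" "$jail/bin/" || return 1
    for lib in $(needed_libs < "$dump"); do
        if [ -f "$libdir/$lib" ]; then
            cp "$libdir/$lib" "$jail/usr/lib/$(jail_lib_name "$lib")" || return 1
        else
            echo "missing library: $lib" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Demo on constructed stand-in files (empty files, not real QNX binaries).
demo=$(mktemp -d)
mkdir -p "$demo/x86/bin" "$demo/x86/lib"
: > "$demo/x86/bin/ls"; : > "$demo/x86/lib/libc.so.3"
printf '  NEEDED               libc.so.3\n' > "$demo/ls.objdump.txt"
stage_app "$demo/home/ftpguest" "$demo/x86/bin/ls" "$demo/x86/lib" "$demo/ls.objdump.txt"
find "$demo/home/ftpguest" -type f | sort
rm -rf "$demo"
```

Ownership and group are still set afterwards with the chown and chgrp steps in the next section.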

For more information about finding needed libraries:
6.5.0: http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_building/config.html
6.4.1: http://www.qnx.com/developers/docs/6.4.1/neutrino/building/config.html
6.3.0 SP3: http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/building/config.html

------------------------------------------------------------------------------
Change the permissions
------------------------------------------------------------------------------

1. chown -R ftpguest /home/ftpguest
2. chgrp -R [ftp group] /home/ftpguest
-----a. I actually set the group to root which means only a root user can change the programs or libraries (or the owner). The only thing to watch for here is that the group has to be one that the admin user has access to (if the admin user isn't root).

For more information on file permissions:
6.5.0: http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=/com.qnx.doc.neutrino_user_guide/files.html
6.4.1: http://www.qnx.com/developers/docs/6.4.1/neutrino/user_guide/files.html
6.3.0 SP3: http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/user_guide/files.html
4.25: http://www.qnx.com/developers/docs/qnx_4.25_docs/qnx4/user_guide/accounts.html#FILEPERM

That's it, we've created a user and a jail for them. We then added ls and the library it needs, making sure to put them in the correct locations. This example will work out of the box but it would be a good idea to further delve into permissions for the files and directories, although that isn't strictly necessary. Any Unix file permission tutorial will suffice for that.

An important note to add is that the jailed user cannot access anything outside their jail which, in this case, means that they cannot access anything above their home directory. This is to prevent the user from accessing system files. For the same reason, symlinks in a user's directory that link outside the 'jail' will fail with an error.

________________________________________________________________________
NOTE: This entry has been validated against the SDP version listed above. Use caution when considering this advice for any other SDP version. For supported releases, please reach out to QNX Technical Support if you have any questions/concerns.
________________________________________________________________________

